On 11 October 2012 13:19, Arun Khan <knura9 at gmail.com> wrote:
> On Sun, Oct 7, 2012 at 10:20 AM, Sunil Beta Baskar <betasam at gmail.com> wrote:
>> ... snip ...
>>> [ SetUID bit ]
>> Behavior on linux-kernel 3.2.x with
>> $ chmod a+s somefolder
>> $ ls -ltr somefolder
>> shows all files inside somefolder with their original rights and
>> *owners* on ext4. This is on Debian Wheezy.
>>
>> Although the setUID bit is still used, it is not recommended if you
>> want to have any sense of security on a system.
>
> Per your recommendation about usage of SetUID bit, please suggest
> alternatives for the following that come to my mind offhand (I :
>
> $ for x in sudo X chsh passwd; do ls -l $(which ${x}); done
> -rwsr-xr-x 1 root root 71248 Jan 31 2012 /usr/bin/sudo
> -rwsr-sr-x 1 root root 10184 Mar 22 2012 /usr/bin/X
> -rwsr-xr-x 1 root root 37096 Apr 9 2012 /usr/bin/chsh
> -rwsr-xr-x 1 root root 42824 Apr 9 2012 /usr/bin/passwd
The best alternative (except for sudo) is to use 'file capabilities'
which can be manipulated using setcap. Here's a list of all the setuid
programs in a GNU/Linux distribution and how you could remove
setuid/setgid and choose file capabilities in a more fine-grained
manner. The package candidate for installing setcap is libcap2-bin on
my Debian Wheezy box.
https://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setuid
X can be run without the setuid bit; that can be done if you have
enough time to build it. The tough one from which you'd want to pull
that setuid bit off would be 'mount'; right now it results in
permission nightmares.
Beta
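
The setuid-to-file-capabilities swap described in the message above, as an added example that is not part of the original post. The function names are hypothetical, `stat -c` assumes GNU coreutils, and the capability set passed to `swap_setid_for_caps` is an assumption the administrator has to verify for each binary.

```shell
#!/bin/sh
# Added example (not from the original thread): audit setuid/setgid
# files, then replace the bit on one binary with file capabilities.

# List regular files under DIR that carry the setuid or setgid bit,
# one per line as "octal-mode owner:group path".
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null
}

# Number of setuid/setgid files under DIR.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Grant CAPS to FILE, then drop its setuid/setgid bits.
# Needs root and setcap/getcap (libcap2-bin on Debian).
# setcap runs first, so a failure leaves the file unchanged.
swap_setid_for_caps() {
    setcap "$2" "$1" || return 1
    chmod u-s,g-s "$1" || return 1
    getcap "$1"    # show the resulting capability set
}

# Typical use, as root:
#   list_setid /usr/bin
#   swap_setid_for_caps /bin/ping cap_net_raw+ep
# (ping only needs raw sockets; other binaries need their own,
#  individually checked, capability sets.)
```

Re-run `list_setid` after each change and test the program as an unprivileged user, since a binary granted too few capabilities fails at run time rather than at `setcap` time.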